Skip to content
Changelog Hub

jose 2.0.0

npm / jose / 2.0.0 source

⚠ BREAKING CHANGES

  • the JWE.decrypt option algorithms was removed and replaced with contentEncryptionAlgorithms (handles enc allowlist) and keyManagementAlgorithms (handles alg allowlist)
  • the JWT.verify profile option was removed, use e.g. JWT.IdToken.verify instead.
  • removed the maxAuthAge JWT.verify option, this option is now only present at the specific JWT profile APIs where the auth_time property applies.
  • removed the nonce JWT.verify option, this option is now only present at the specific JWT profile APIs where the nonce property applies.
  • the acr, amr, nonce and azp claim value types will only be checked when verifying a specific JWT profile using its dedicated API.
  • using the draft implementing APIs will emit a one-time warning per process using process.emitWarning
  • JWT.sign function options no longer accept a nonce property. To create a JWT with a nonce just pass the value to the payload.
  • due to added ESM module support Node.js version with ESM implementation bugs are no longer supported, this only affects early v13.x versions. The resulting Node.js semver range is >=10.13.0 < 13 || >=13.7.0
  • deprecated method JWK.importKey was removed
  • deprecated method JWKS.KeyStore.fromJWKS was removed
  • the use of unregistered curve name P-256K for secp256k1 was removed
  • jose.JWE.Encrypt constructor aad and unprotectedHeader arguments swapped places
  • jose.JWE.encrypt.flattened header (unprotectedHeader) and aad arguments swapped places
  • jose.JWE.encrypt.general header (unprotectedHeader) and aad arguments swapped places
  • JWS.verify returned payloads are now always buffers
  • JWS.verify options encoding and parse were removed

Features

  • added support for ESM (ECMAScript modules) (1aa9035)
  • decrypt allowlists for both key management and content encryption (30e5c46)

Bug Fixes

  • typescript: allow Buffer when verifying detached signature (cadbd04)
  • typescript: properly type all decode/verify/decrypt fn options (4c23bd6)

Refactor

  • encrypt APIs unprotectedHeader and aad arguments swapped (70bd4ae)
  • move JWT profile specifics outside of generic JWT (fd69d7f)
  • removed nonce option from JWT.sign (c4267cc)
  • removed deprecated methods and utilities (6c35c51)
  • removed payload parsing from JWS.verify (ba5c897)